@@ -129,12 +129,13 @@ private function updateCspHeaders(Response $response, array $nonces = []): array
129
129
continue ;
130
130
}
131
131
if (!isset ($ headers [$ header ][$ type ])) {
132
- if (isset ($ headers [$ header ]['default-src ' ])) {
133
- $ headers [$ header ][$ type ] = $ headers [$ header ]['default-src ' ];
134
- } else {
135
- // If there is no script-src/style-src and no default-src, no additional rules required.
132
+ $ fallback = $ this ->getDirectiveFallback ($ directives , $ type );
133
+ if (null === $ fallback ) {
134
+ // If there is no directive and no fallback, no additional rules required.
136
135
continue ;
137
136
}
137
+
138
+ $ headers [$ header ][$ type ] = $ fallback ;
138
139
}
139
140
$ ruleIsSet = true ;
140
141
if (!\in_array ('\'unsafe-inline \'' , $ headers [$ header ][$ type ], true )) {
@@ -197,11 +198,8 @@ private function parseDirectives(string $header): array
197
198
*/
198
199
private function authorizesInline (array $ directivesSet , string $ type ): bool
199
200
{
200
- if (isset ($ directivesSet [$ type ])) {
201
- $ directives = $ directivesSet [$ type ];
202
- } elseif (isset ($ directivesSet ['default-src ' ])) {
203
- $ directives = $ directivesSet ['default-src ' ];
204
- } else {
201
+ $ directives = $ directivesSet [$ type ] ?? $ this ->getDirectiveFallback ($ directivesSet , $ type );
202
+ if (null === $ directives ) {
205
203
return false ;
206
204
}
207
205
@@ -225,6 +223,16 @@ private function hasHashOrNonce(array $directives): bool
225
223
return false ;
226
224
}
227
225
226
+ private function getDirectiveFallback (array $ directiveSet , string $ type ): ?array
227
+ {
228
+ if (\in_array ($ type , ['script-src-elem ' , 'style-src-elem ' ], true )) {
229
+ // Let the browser fallback on it's own
230
+ return null ;
231
+ }
232
+
233
+ return $ directiveSet ['default-src ' ] ?? null ;
234
+ }
235
+
228
236
/**
229
237
* Retrieves the Content-Security-Policy headers (either X-Content-Security-Policy or Content-Security-Policy) from
230
238
* a response.
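Review bot: The new `getDirectiveFallback` (third hunk) carries no docblock, although the rule it encodes is the security-relevant part of the change: returning null for `script-src-elem`/`style-src-elem` means a missing `-elem` directive is no longer seeded from `default-src`, presumably so that the browser's CSP3 fallback chain (`script-src-elem` → `script-src` → `default-src`) reaches the already nonce'd `script-src`/`style-src`, whose sources `default-src` need not contain. I would replace the one-line comment (which also misspells `its`) with `/** Returns the directives a missing $type is seeded from, or null when the browser's own fallback chain (script-src-elem -> script-src -> default-src) must apply instead. */` and `// Let the browser fall back on its own`. The parameter is named `$directiveSet` here but `$directivesSet` in `authorizesInline` (second hunk); aligning them and moving the `['script-src-elem', 'style-src-elem']` list into a private class constant would keep the directive list in one place rather than duplicated against the caller's type list. In the first hunk the new call passes `$directives`, which is defined outside the hunk (presumably the per-header loop variable of `updateCspHeaders`, whose body starts before the hunk), so it should be confirmed that it is the directive set of the same `$header` being written back to; `authorizesInline` likewise continues past the second hunk.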